Secure Your Passwords Today

Seen in the October 2005 issue of Crosstalk, the Journal of Defense Software Engineering, published by Hill AFB. That particular issue has a lot of really good articles related to security.

From: Hiram Rextall, TLA Security Head for Information Technology
To: All TLA Company Personnel
Subject: Network Passwords

As you know, restricting access to information is a cornerstone of corporate TLA culture. Unauthorized or unwanted access to the TLA company network by a person or persons unknown can have a consequence or consequences unknown. Your password is your passport to the world of corporate knowledge. Your password must be protected at all times, at all costs, and at all points of ingress or egress. Therefore, effective immediately, the following rules regarding passwords are in place and will be strictly enforced:

  1. Passwords must be between 23 and 37 alphanumeric characters. (As 23 and 37 are prime numbers, their use as bounds should confuse decryption techniques.)
  2. Passwords must contain at least three members from each of the following four groups: uppercase letters, lowercase letters, numbers, and special characters.
  3. The password may not contain more than five consecutive members of any of the four groups listed in No. 2.
  4. White space characters (space, tab, etc.) are allowed, provided a network administrator visually verifies them.
  5. Because all computer data is ultimately stored in binary format (a combination of ones and zeros), the numbers 1 and 0 may not be used in a password.
  6. Because the letter l looks like the number 1 and the letter O looks like the number 0, you cannot use l or O either. Similarly, you cannot use an exclamation point (!) or vertical bar (|).
  7. Lowercase letter o may be used provided it is not next to a number.
  8. The password may not contain any word in the English language, including I (uppercase only) and a (either case). (Company personnel operating abroad: This word restriction applies in the local language as well.)
  9. The password may not contain your name, your employee number, your street address, your mother’s maiden name, your pet’s name, your first grade teacher, or your supposedly secret drag queen/biker momma name. (The sorts of people who try to break into networks know that last one.)
  10. Passwords are to be changed every 24 hours. Because the IT department cares, you do not have to change your password every time you log in. However, should you log out without having changed your password and need to log in again within the same 24-hour period, you will have to submit a request to the IT department to have a temporary password issued. This will probably take 24 hours to process. Days are considered to begin at 0000 Zulu hours.
  11. The password cycle is synchronized with each 24-hour cycle. If you fail to log in during a 24-hour period, it will be necessary to create and use passwords covering the missed period. For example, upon return from a two-week vacation it will be necessary to update your password 14 times.
  12. Passwords are to be memorized. They are not to be recorded using any media: paper, computer file, clay, wood, iron, sand, wax, Styrofoam, food, or animal parts.
  13. Passwords may be reused after one year.
  14. You may not use any other user’s current or past passwords; the one-year rule applies here.

It may seem difficult to come up with passwords that meet these requirements and are mnemonically friendly. Please keep in mind that you only need to remember each password for a single day. It may help you to associate something familiar to assist your memory with your password. For example, “The quick brown fox jumped over the lazy dog” could be used to associate to the password Dz23+8uVC**ojy~xiMn4_Q?. (Note: This password has already been taken.)
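As an added illustration (this is not code from the memo or from the Crosstalk article), here is a small Python checker for the rules above that a machine can actually enforce: 1 through 8, with the "any English word" test of rule 8 reduced to a tiny constructed word list plus the memo's explicit I and a. Rules 4 (an administrator's visual check), 9 (personal data) and 10 through 14 (rotation and reuse history) need information the checker does not have and are left out. The set of "special characters" is never defined in the memo, so the checker assumes any printable non-letter, non-digit, non-space character counts as one; length is counted in characters of any kind, since rule 1 says alphanumeric while rule 2 demands specials. The memo's own sample password is run through it.

```python
import string

# Rules 5 and 6: digits 1 and 0, letters l and O, and the look-alike symbols ! and |
FORBIDDEN = set("10lO!|")

# Rule 8 stand-in: a constructed, deliberately tiny word list (the memo means every
# English word; a real deployment would load a dictionary file). The letters I
# (uppercase only) and a (either case) are words by the memo's own statement.
WORDS = {"fox", "dog", "quick", "brown", "lazy", "password", "secret"}


def group_of(ch):
    """Classify one character into the four groups of rule 2, or 'space' for rule 4."""
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    if ch.isspace():
        return "space"
    return "special"   # assumption: anything else printable is a 'special character'


def check_password(pw):
    """Return the list of rule violations; an empty list means rules 1-8 are satisfied."""
    problems = []

    # Rule 1: between 23 and 37 characters
    if not 23 <= len(pw) <= 37:
        problems.append("rule 1: length must be 23-37 characters")

    # Rules 5 and 6: forbidden characters
    bad = sorted(FORBIDDEN & set(pw))
    if bad:
        problems.append("rule 5/6: forbidden characters " + " ".join(bad))

    # Rule 2: at least three members of each of the four groups
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0, "space": 0}
    for ch in pw:
        counts[group_of(ch)] += 1
    for g in ("upper", "lower", "digit", "special"):
        if counts[g] < 3:
            problems.append(f"rule 2: fewer than three {g} characters")

    # Rule 3: no more than five consecutive members of one group
    run, prev = 0, None
    for ch in pw:
        g = group_of(ch)
        run = run + 1 if g == prev else 1
        prev = g
        if g != "space" and run > 5:
            problems.append(f"rule 3: more than five consecutive {g} characters")
            break

    # Rule 7: lowercase o may not sit next to a digit
    for i, ch in enumerate(pw):
        if ch == "o":
            neighbours = pw[max(0, i - 1):i] + pw[i + 1:i + 2]
            if any(n.isdigit() for n in neighbours):
                problems.append("rule 7: lowercase o adjacent to a digit")
                break

    # Rule 8: no English word, including I (uppercase) and a (either case).
    # A password has no word boundaries, so any occurrence of I, a or A counts.
    if "I" in pw or "a" in pw or "A" in pw:
        problems.append("rule 8: contains the word I or a")
    lowered = pw.lower()
    found = sorted(w for w in WORDS if w in lowered)
    if found:
        problems.append("rule 8: contains word(s) " + " ".join(found))

    return problems


if __name__ == "__main__":
    # The memo's own sample password (already taken, per the memo)
    sample = "Dz23+8uVC**ojy~xiMn4_Q?"
    print(sample, "->", check_password(sample) or "passes rules 1-8")
```

Run as a script it reports that the memo's sample password passes every checkable rule (it is exactly 23 characters, the minimum). Anything a real organisation would recognise as a password, such as a dictionary word with a digit appended, trips several rules at once.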

While mathematicians are still crunching the numbers, it is calculated that there are over 10^14 passwords possible. However, TLA management is concerned that we may run out of passwords. To address this, IT is already working on a three-part login system (TriHard) that will make passwords obsolete. The three TriHard components include:

  • Biometric fingerprint scan
  • Simultaneous spring-loaded needle prick for blood sample and DNA comparison
  • Optical retinal scan

A TriHard prototype involving its last two components is in alpha testing. Volunteers have been hard to come by for some reason.

IT personnel will be visiting your work areas soon seeking assistance. Keep an eye open for them.

This post is brought to you in the spirit of International Computer Security Day, which is November 30.
